IT Baseline Protection Manual T 5.22 Theft of a mobile IT system

T 5.22 Theft of a mobile IT system

Mobile use of an IT system carries the risk of new threats to which stationary IT systems are less exposed. Mobile systems such as laptops are normally not used in a room secured by protective measures. They are carried in cars or on public transport, set down in other people's offices during breaks and left unattended in hotel rooms.

Because of these environmental factors, mobile IT systems are intrinsically exposed to a higher risk of theft. It is not entirely uncommon for mobile IT systems to be stolen "accidentally", e.g. a laptop may be in the boot of a car that happens to be stolen.

If a mobile IT system is stolen, it is also possible that any existing boot protection (boot/BIOS password) will be circumvented. On IT systems which have no boot protection and rely exclusively on the authentication mechanism of the operating system (user name, password), an attacker can access the data on the hard disk by booting from a diskette or CD-ROM.

If the mobile IT system is integrated into a remote access system and automatic RAS connection (auto-dial, storage of authentication data) is enabled, an unauthorised third party could access resources on the destination LAN.

Example

The managing director of a large company had his laptop stolen during a business trip. The material loss was trivial as it was possible to obtain a new laptop within a day. Far more painful, however, was the loss of important customer data which had been stored on the laptop. No backup of this information existed as it had only been entered during the business trip.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik